Sophos, a global leader in innovating and delivering cybersecurity as a service, released the findings of its fourth “The Future of Cybersecurity in Asia Pacific and Japan” report in collaboration with Tech Research Asia (TRA). The report found that 86 per cent of Australian respondents in cybersecurity and IT roles are impacted by burnout and fatigue.

The study revealed that burnout is felt across almost all aspects of cybersecurity operations, with 30 per cent of Australian respondents saying that feelings of burnout increased “significantly” in the last 12 months, and 43 per cent of Australian respondents stating this burnout made them “less diligent” in their cybersecurity roles. Dangerously, 19 per cent of Australian respondents identified that cybersecurity burnout or fatigue contributed to, or was directly responsible for, a cybersecurity breach, and 17 per cent of Australian companies experienced slower than average response times to cybersecurity incidents.

Causes of Cybersecurity Burnout and Fatigue

The five main causes of cyber burnout and fatigue in the report include:

1. A lack of resources available to support cybersecurity activities
2. The routine aspects of the role, which create a feeling of monotony
3. An increased level of pressure from board and/or executive management
4. Persistent alert overload from tools and systems
5. Increase in threat activity and the adoption of new technologies that foster a more challenging, always on environment.

The Impact Of Burnout And Fatigue On Cybersecurity Employees

The study revealed that in Australia:

• 43 per cent felt they are not diligent enough in their performance
• 20 per cent felt heightened levels of anxiety if subject to a breach or attack

• 29 per cent experience feelings of cynicism, detachment and apathy towards cybersecurity activities and their responsibilities
• 22 per cent stated it makes them want to either resign or change career (23 per cent of all surveyed have acted on this and resigned)
• 9 per cent feel guilty that they cannot do more in their role to support cybersecurity activities

“At a time when organisations are struggling with cybersecurity skills shortages and an increasingly complex cyberattack environment, employee stability and performance are critical for providing a solid defence for the business. Burnout and fatigue are undermining these areas and organisations need to step up to provide the right support to employees especially when, according to our research, 19 per cent of Australian respondents identified that cybersecurity burnout or fatigue contributed to, or was directly responsible for, a cybersecurity breach,” said Aaron Bugal, field CTO at Sophos.

“This Sophos and TRA report provides timely insight into organisational cyber stress and demonstrates that things need to change. Although there’s not a simple fix, an attitude adjustment would go a long way to define the right expectations around what it means to evolve into a cyber-resilient business. Boards and executive committees need to drive change and demand responsibility from their deputised charges, in essence for better governance around cyber approaches. However, they need to clearly articulate their accountability in developing and maintaining a plan because cybersecurity is now a perpetually interactive sport – and there needs to a team that provides adequate coverage around the clock.”

The Impact Of Cybersecurity Burnout And Fatigue On Business Operations

There were four key areas where cyber burnout and fatigue had a direct impact on Australian business operations:

• Direct contribution to breaches: 19 per cent of respondents identified that cybersecurity burnout or fatigue contributed to, or was directly responsible for, a cybersecurity breach.
• Slower response times to cybersecurity incidents: 17 per cent of companies experienced slower than average response times to cybersecurity incidents.
• Lost productivity: Businesses are experiencing a productivity loss of 3.8 hours per week amongst cybersecurity and IT professionals, compared to 4.1 hours on average per week across APJ.
• Resignations and employees moving on: Stress and burnout were directly attributed as a cause of cybersecurity and IT professional resignations in 23 per cent of companies. Organisations also noted that, on average, 16 per cent of them had “moved on” as a cybersecurity or IT employee due to cyber burnout leading to performance issues.

About This Research

Sophos commissioned Tech Research Asia (TRA) to undertake research into the Asia Pacific and Japan cybersecurity landscape. This included a major quantitative component with a total of 919 responses captured from Australia (204 companies), India (202), Japan (204), Malaysia (104), The Philippines (103) and Singapore (102).